AdLive

I built AdLive when I was running Fotolog because I wanted a quick way to get a snapshot of the
performance of our various monetization platforms. The alternative was to log in to each and every website, and see how much money we made.
We had someone on the team do that every day and put everything in an Excel spreadsheet = p-a-i-n-f-u-l

I've implemented a scripting language making heavy use of XPath.
This let me add more sources without changing the code base.
Here is an example with Commission Junction:

Users requested additional platforms so I contacted them and sometimes they gave me access to their API (thanks Vibrant Media...).

After a while, some sites broke. Although I had designed it to be easily fixable, I lost interest and didn't keep it up-to-date.
It is still on the Market with some disappointed user comments ☹ Hopefully someone will take over.

RTMP swfUrl spoofing

A proof-of-concept that defeats an RTMP security measure

RTMP is the video streaming format built by Adobe for Flash.
RTMP was a closed, undocumented protocol until Howard Chu and Andrej Stepanchuk reverse-engineered it to build the well-known program rtmpdump.
They followed up with librtmp, which is now used in various open-source tools such as XBMC, removing the need for the Flash player to play RTMP video streams.

RTMP is secured by various means. One of them is to have Flash send its hosting URL (the "referring" URL) and have it validated by the server. This is called the swfUrl in the protocol.
rtmpdump implements such swfUrl masquerading. I thought it would be interesting to modify Flash so that the swfUrl is automatically adjusted to the value expected by the server.
Instead of patching Flash, though, I implemented a Mozilla plugin that hooks into the Flash DLL and intercepts all network packets. It simply modifies the swfUrl as needed.

The interception is achieved through IAT hooking of the socket send() function. Please have a look at hook.cpp in the source.

DebugIt

I wrote this program to evaluate the security impact of incorrect usage of commonly used Win32 APIs
like RegQueryValueEx.

You typically have to call RegQueryValueEx twice: once to get the size of the data to retrieve (and to allocate a buffer accordingly),
then a second time to retrieve the actual data. Many incorrect implementations in various Windows software call it only once, with a fixed-size buffer.
It is then reasonably easy to build a stack overflow exploit with some shellcode stored in the Windows registry.

I will leave it to your imagination to figure out what are the potential exploitations of such a flaw.

This program uses the Win32 Debug API to place breakpoints on potentially exploitable Win32 functions,
inject large amounts of data into the application's calls and detect overflows. Apologies for the code comments, which are half in French :-/

Reverse CRC32

A home-made algorithm that forges CRC32 signatures

CRC32 is great for verifying data integrity but provides no security.
Not only is the checksum just 32 bits long, the algorithm is also completely reversible.
A myriad of file formats and protocols rely on CRC32 to ensure data integrity, including zip, gzip and all their derivatives (SWF Flash files, PNG).

For a given data buffer, this program produces 4 bytes of data that make the whole buffer match
a given CRC32.

data input                       crc32
CdMV-KEQPQM1-jerome           => 0x00000000
X5LR-2FN6XP-jerome            => 0x00000000
Kr7i-6L6PVS1-jerome           => 0x00000000
GoEn-WESBA01-jerome           => 0x00000000
xB4X-U4G18R1-deadbeefisyummy  => 0xDEADBEEF

The algorithm is designed so that the whole output is valid ASCII rather than unprintable binary characters. The input data is formatted as follows:

AAAA-BBBBB-anytext

AAAA: four bytes calculated by the program so that the whole string matches the given CRC32, taking the rest of the data into account

BBBBB: some random ASCII characters. The algorithm restarts with a fresh BBBBB string until all four AAAA characters are valid ASCII characters

anytext: anything, really.

At the time I wrote this program, brute-forcing CRC32 took a few seconds on a desktop PC.
It is probably instantaneous by now. Still interesting for educational purposes.

I've built a command line tool for Windows that implements the algorithm (get it in the download):

Usage: reverse_crc32 <input> <crc>
<input>: string that should be included in the final result
<crc>: target value for crc32 (decimal notation)

Conclusion: if you can modify 4 bytes of the data, or prepend/append 4 bytes to it, you can choose an arbitrary CRC32 checksum for it.
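The same idea as an added Python example (this is not the reverse_crc32 tool above, just an illustration of why CRC32 must never stand in for a MAC): one table-driven CRC-32 step run backwards solves for the four free bytes, and it goes beyond the tool's prefix-only format by placing them at the front, the end, or the middle of the data; the AAAA-BBBBB-anytext loop re-rolls the filler until the four bytes are alphanumeric. Only zlib's standard CRC-32 is assumed.

```python
import secrets
import string
import zlib

POLY = 0xEDB88320
MASK = 0xFFFFFFFF
ALNUM = string.ascii_letters + string.digits

# Standard reflected CRC-32 byte table (the same table zlib uses).
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# Every table entry has a distinct top byte; that is what makes a step reversible.
REV = {t >> 24: i for i, t in enumerate(TABLE)}

def crc32(data: bytes) -> int:
    return zlib.crc32(data) & MASK

def unstep(state: int, byte: int) -> int:
    """Inverse of one table-driven CRC step: the register before `byte` was absorbed."""
    i = REV[state >> 24]                        # table index the forward step used
    prev_hi = ((state ^ TABLE[i]) << 8) & MASK  # top 24 bits of the previous register
    return prev_hi | (i ^ byte)                 # forward index was (low byte ^ byte)

def forge(prefix: bytes, suffix: bytes, target: int) -> bytes:
    """Return 4 bytes X such that crc32(prefix + X + suffix) == target."""
    before = crc32(prefix) ^ MASK               # register after the known prefix
    after = target ^ MASK                       # register needed at the very end
    for b in reversed(suffix):                  # walk the suffix backwards to get the
        after = unstep(after, b)                # register needed right after X
    # Absorbing 4 bytes equals XORing them (little-endian) into the register and
    # then taking 4 zero-byte steps, so undo 4 zero steps and XOR out `before`.
    for _ in range(4):
        after = unstep(after, 0)
    return ((after ^ before) & MASK).to_bytes(4, "little")

def forge_printable(text: str, target: int, tries: int = 100000) -> str:
    """Build 'AAAA-BBBBB-text' with crc32 == target, re-rolling BBBBB until AAAA is alphanumeric."""
    for _ in range(tries):
        filler = "".join(secrets.choice(ALNUM) for _ in range(5))  # constructed random filler
        suffix = f"-{filler}-{text}".encode()
        x = forge(b"", suffix, target)
        if all(chr(b) in ALNUM for b in x):
            return x.decode() + suffix.decode()
    raise RuntimeError("no alphanumeric solution found")
```

About one filler in 300 yields four alphanumeric bytes, so the loop normally finishes in well under a second.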

ASM Mod Player

A tiny embedded protracker player

I wrote this tiny program in the year 2000.
It wraps together a ProTracker module and the AMP DLL file (to play modules)
and plays the module at execution. Works fine on recent Windows versions.
I am still a big fan of chip tunes :)
Here's a nice collection

Looking back at 20 years of computing, there are certainly a few things here and there that I'm a little bit ashamed of
but it's been a fun ride. Pay me a few beers (or Cointreau if you don't have time) and I'll tell you off the record :)